McColo takedown: Internet self policing or vigilantism
- — 02 December, 2008 09:01
McColo hosted a staggering variety of cybercrime activity, according to a group of researchers who said they had documented the company's practices for more than two years. In addition to hosting Web sites that spewed out huge quantities of spam, McColo is alleged to have hosted child pornography and counterfeit pharmaceutical sites, as well as command-and-control servers for some of the Internet's biggest botnets.
McColo was kicked offline after The Washington Post gave the company's upstream service providers information about its alleged hosting activities that the Post had gathered from the security researchers.
Benny Ng, director of infrastructure at Hurricane Electric, an ISP that was one of McColo's service providers, said his company's decision to pull the plug was based solely on what it was given by the Post . According to Ng, the decision was straightforward because what McColo was doing was against Hurricane Electric's terms of service.
The fear of ending up on an Internet blacklist is also a powerful motivator in such cases. The blacklists maintained by StopBadware.org and other groups are used by many security vendors and corporate IT departments as part of their efforts to block spam and malware. As a result, ending up on the lists can have drastic consequences for an ISP or Web site.
Blacklist groups "basically have you over a barrel," said an executive at a hosting firm who asked not to be named. "So yes, we do pay attention to them."
However, in both the McColo and Intercage cases, the only role the security community played was to collect evidence showing that the two companies were hosting clients involved in all sorts of criminal activity, said Garth Bruen, founder of the antispam group KnujOn.
The decisions to pull the plug on the hosting firms were made solely by the upstream service providers, Bruen noted. "That was their choice to do it," he said. "We just gave them the information to help them make up their mind."
What's going on is "a little closer to vigilance than it is to vigilantism," StopBadware.org's Weinstein said in an interview. The security researchers who track alleged bad apples "are not inciting specific action against any company," he added. "What they're doing is publishing data and putting it in front of people who are making these decisions."
Often, though, it's hard to know for sure if a hosting company is complicit in the illegal activities taking place on its networks, or the extent of its culpability if it is aware of them, Weinstein acknowledged. "That's definitely a concern," he said. "But I don't think there's an easy answer to it."